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DESIGN OF ANALYTICAL FAILURE-DETECTION SYSTEMS USING SECONDARY OBSERVERS 


M. Sidar* 

Ames Research Center 


SUMMARY 


The problem of designing analytical failure-detection systems (FDS) for sensors 
and actuators, using observers, is addressed. These failure-detection systems can 
be applied to linear, constant, and possibly time-varying multi-input, multi-output 
systems with measurement noise. The use of observers in FDS is related to the exam- 
ination of the n-dimensional observer error vector which carries the necessary 
information on possible failures. The problem is that in practical systems, in which 
only some of the components of the state vector are measured, one has access only to 
the m-dimensional observer-output error vector, with m ^ n. In order to cope with 
these cases, a secondary observer is synthesized to reconstruct the entire observer- 
error vector from the observer output error vector. This approach leads toward the 
design of highly sensitive and reliable FDS, with the possibility of obtaining a 
unique fingerprint for every possible failure (abrupt or soft). The use of the 
secondary observers allows us also to solve the measurement noise problem in a very 
efficient way. Further, in order to keep the observer's (or Kalman filter) false- 
alarm rate (FAR) under a certain specified value, it is necessary to have an accept- 
able matching between the observer (or Kalman filter) models and the system 
parameters. Only properly designed adaptive observers are able to detect abrupt 
changes in the system (actuator, sensor failures, etc.) with adequate reliability and 
FAR. A previously developed adaptive observer algorithm is used here to maintain the 
desired system-observer model matching, despite initial mismatching or system param- 
eter variations. Conditions for convergence for the adaptive process are obtained, 
leading to a simple adaptive law (algorithm) with the possibility of an a priori 
choice of fixed adaptive gains. Simulation results show good tracking performance 
with small observer output errors, while accurate and fast parameter identification, 
in both deterministic and stochastic cases, is obtained. 


I . INTRODUCTION 


The use of the analytical redundancy approach for sensor and actuator failure 
detection in complex, dynamic control systems is by now widely accepted as a feasible 
concept for redundancy management (refs. 1-3). Besides an appreciable saving in cost, 
volume, and weight, the analytical failure-detection systems have to provide at least 
the same high performances as the classical voting systems, which are based on simple 
threshold examinations and on some crude decision logic. In aeronautical designs, 
and in particular for flight-control purposes, values of mission abort probability 
(MAP) of 10“^ to 10”^ per flight hour, associated with typical false-alarm rates (FAR) 
of 10“^ to 10“^, are rather commonly imposed by operational requirements (ref. 1). 

To compete successfully with the triple and quadruple redundant systems based 
exclusively on voting schemes, the analytical-redundant failure-detection systems 
have to exhibit certain basic features. For example: 

^NRC Senior Research Associate. 
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1. Simplicity and fault-tolerant properties in both the software conception 
and the hardware implementation. 

2. High reliability and high probability of failure detection. 

3. Low false-alarm rates, despite external disturbances such as wind gusts, 
abrupt maneuvering (in flight-control systems), instrumentation noise, and, in some 
cases, process noise. 

4. Ability to determine, as precisely and as rapidly as possible, the failure 
source, the extent of the failure, and in some cases, the time of failure. 

5. In addition to abrupt failure detection (mainly for sensor and actuator 
failures), the analytical-redundancy schemes have to handle the problem of soft- 
failures detection, such as the detection of biases or scale factor changes in the 
instrumentation, some degradations in actuator performances, etc. 

Two principal analytical concepts are used in guidance and flight control for 
analytical failure-detection purposes: 

1. Kalman filters (ref. 3-13) where the innovation sequence ^(t) is tested for 
unbiasedness and whiteness (orthogonality condition test). 

2. Linear observers (refs. 3-15) (full- and reduced-order) in which the error 
between the measured output and the reconstructed one, for example, the so-called 
residual errors ^(t), are tested for failure assessment. The gains of those 
observers are determined such that ^(t) will reveal the occurrence of a specific 
failure. 

It is useful at this point to remark that results reported or published so far 
are based on the assumption that the dynamic system has fixed and known parameters. 

Another important problem is that in practical cases the dimension (1 x m) of 
the observer-output error vector ^(t) is lower than the dimension of the observer 
error vector _e(t) , of dimension (1 x n) , where m ^ n. In this case, much of the 
information about failures is contained in those components of ^(t) , which are not 
accessible for measurement. Thus, failure events (hard and soft failures) are not 
easily detected and, certainly, are not detected in a unique way. By analyzing the 
£(t) vector only, one may obtain a failure-detection system (FDS) with a low failure- 
detection sensitivity and a nonunique fingerprint for a specific system failure. 

This crucial problem of designing observers for FDS’s with a unique fingerprint for 
a specific failure has been addressed in the past by various contributors (refs. 5, 

9, and 14). 

In reference 5 an attempt is made, by using a certain transformation of the 
observer output residual vector 6_(t) , to obtain a fingerprint related to a specific 
failure in the system actuators or sensors. This approach does not assure uniqueness 
and leads to a low-sensitivity failure detection with the probability of a high false- 
alarm rate (FAR). Besides, the design procedure is cumbersome, and the algorithm 
includes some difficult numerical procedures. In reference 9, the approach to solving 
the failure-detection problem is similar to that of reference 5, using a somewhat 
different algorithm in order to obtain the transformation matrix and taking into 
account the possibility of stochastic random noise in the output measurement. 

Reference 14 describes a possible approach to the design for instrument failure detec- 
tion only, for uncertain linear systems. But in using this approach, one encounters 
the same difficulties as in the other approaches, because only the limited amount of 
information contained in ^(t) is examined. 
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The approach taken in the work described herein is more comprehensive. It uses 
a secondary observer to reconstruct the vector £(t), from the measured error vector 
t(t), obtained from the primary observer. The purpose of the secondary observer is 
twofold: 


1. To produce the n-dimensional error vector £(t) needed for a correct, unique, 
and high-sensitivity failure assessment. 

2. To reduce the susceptibility of the FDS to measurement noise, by using 
steady-state Kalman (filter) optimal gains. 

By this approach one obtains a sensitivity-enhanced FDS with unique failure- 
fingerprints, and the effect of the measurement noise is reduced. It is appropriate 
here to point out that in order to be of practical value in applications and to 
provide reliable systems, the major problem of failure-detection and analytical 
redundancy theory is to achieve the conflicting objectives of low noise sensitivity, 
low false-alarm rate (considering noise) and high failure-detection sensitivity. 

As stated before, a common assumption used in the references mentioned above, 
is that the dynamic system has constant parameters. Moreover, in some FDS’s one has 
to use decision algorithms, especially for the detection of soft-failures and for the 
assessment of the extent of failures. Most of the decision algorithms — such as 
sequential likelihood ratio test (SLRT) for mean values and functional compatibility 
(refs. 8, 11, 12, and 13); generalized likelihood ratio (GLR) approach (refs. 4 to 7); 
and recursive GLR (refs. 7, 8, 12) — assume also (with the exception of ref. 7) that 
the dynamic system is known and constant. 

As will be shown later in this report, it is absolutely necessary when using 
either observers or Kalman filters, that those devices be "matched" to the dynamic 
system in order to obtain low observer-output errors and, therefore, low false-alarm 
rates. A good matching will also provide adequate properties to the decision algo- 
rithms in order to assess the time, the place, and the extent of the failure without 
errors (see ref. 15). 

At this point it is worth noting that when the plant parameter variations are 
themselves the results of some kind of failures, the adaptive matching of the 
observer to the plant may unintentionally "cover up" those failures. For this reason, 
it is expected that a complete FDS would include also some on-line parameter- 
identification procedure to support the failure-detection algorithm. However, it 
seems possible to relax this need, if the adaptive observers are time-varying and if 
observer parameters are updated deterministically in open loop, by having parameters 
stored as a function of flight condition or by changing the parameters according to 
air data computer outputs. 

A complete parameter-adaptive and tracking observer for linear, multi-input, 
multi-output FDS’s, incorporating primary and secondary observers, is designed, pre- 
sented, and analyzed for convergence and stability in this report. 

A short overview of observers (Kalman filters) for failure-detection purposes is 
presented in section 2 in the interest of completeness. 

The secondary observer concept for the deterministic case is introduced in 
section 3. Different schemes for FDS’s, based on mixed primary and secondary 
observers, are introduced and discussed. 
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The effect of the measurement noise is discussed in section 4, where the design 
of FDS's in a stochastic environment is presented. 

In sections 5 and 6, an algorithm for adaptive and tracking observer design is 
presented, together with the appropriate conditions for convergence and stability. 
Simulation results for a deterministic and stochastic multi-input, multi-output, 
linear, constant, and time-varying system, are presented and discussed in section 7. 
Concluding remarks and some suggestions for further study and research are presented 
in section 8. 

An alternative scheme for implementing observers is given in appendix A; use of 
linear quadratic theory to obtain an asymp to tically-s table-in- the-large solution for 
the FDS adaptive observer is described in appendix B; and the proof for conditions 
necessary for convergence and stability is given in appendix C. 


2. FAILURE-DETECTION SYSTEMS BASED ON OBSERVERS 


As pointed out in the Introduction, various analytical redundant schemes for 
FDS’s are based on the utilization of observers of full or reduced order (refs. 1-5, 
13-15) . Besides the possibility of enhancing the detectability of certain specific 
failures in a unique way, the analytical redundancy FDS*s based on the use of 
observers lead also to important hardware savings (see, for example, fig. 3 in 
ref. 15). In the interest of completeness, this section presents a short discussion 
of some of the basic notions related to the observer theory. First, we shall assume 
the following mathematical model for the linear dynamic system under consideration: 

x(t) = A x(t) + B ^(t) 

= C x(t) 

where 2i(t) Is the (n x 1) state vector, and ^(t) is the (m x 1) measurement vector, 
with m < n. The system is assumed both completely controllable and observable. The 
well-known observer model ("matched" case) (ref. 4) is described by 


2 c(t) = A ^(t) + K[^(t) - C x(t)] + B.u(t) (2) 

where x(*^) the (n x i) estimated (or reconstructed) state vector, 'and K is a 
fixed-gain matrix (n x m) , with constant entries. This model does not take into con- 
sideration various external perturbations and noises that affect the observer output 
and that can cause high FAR's. The observer error, e^(t) (residual), is defined by 

e(t) ^ x(t) - i(t) (3) 

and the observer output error (output residual) is defined as 

i.(t) = j^(t) - j^(t) (4) 

The output residual vector £(t) is the quantity that one has access to and 
therefore it can be used for failure detection and assessment. A block diagram of a 
failure-detection scheme with an observer is presented in figure 1. 
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From equations (1) to (3), the following differential equation is obtained: 

e(t) = (A - KC) e(t) (5) 

One method of choosing the gain matrix K is to place the eigenvalues of the 
matrix (A - KC) so that all of them have negative real parts (refs. 9 and 10). Under 
these conditions, the observer will be stable and, as t ^(t) and £(t) will go 

to zero. Therefore, after a short initial transient, the estimated state x(t) will 
follow x(t) such that x(t) = x(t), “^tett , “] , although the only measurable vector 
is ^(t). 

A second approach for choosing K is to enhance the observer's probability of 
failure detection. After the transient has died out, and if a hard failure of one of 
the actuators or sensors occurs at t = Tf, then a jump in ^(t) will be observed at 
Tf, and the vector ^(t) 0, for all t > Tf (see fig. 2). Indeed, one has to 

remember that by using one (primary) observer, the only access we have for error mea- 
surements and analysis is to the (1 x m) vector .<(t) . The information about fail- 
ures, included in €(t), is only partial, and if the output's vector dimension m is 
much lower than the system's order n, the failure detection may be insensitive, 
nonunique, and have a high FAR. 

To better illustrate the second approach, let us examine the case of an actuator 
failure (ith actuator), and the possibility of enhancing the detection of this event. 
From equations (1) to (3), one obtains the following result: 

e(t) = (A - KC) e + K u^ (6) 


where b. is the ith column of the time-invariant matrix B, and u^ is the ith 
control~of the system. The solution of equation (6) is given by: 


e(t) = exp [(A - KC)(t - T^)] • e(To) 

+ ! /* exp [(A - KC) (t-Tq)] u, (t) dx ! b. 


The first term is negligible (in both the deterministic and the stochastic cases), 
since we assume that the failure occurs at some time Tf during the system's opera- 
tion, after the initial transient has died-out (T^ « Tf) . Let us assume that the 
effects of measurement noise and other perturbations on e^(t) are small. Therefore, 
the term containing the abrupt failure information is the second one. Choosing, for 
C = I (this being a very special and simple case with n = m) 


(A - KC) ^ -I • Y 


( 8 ) 


where I is the (n x n) identity matrix and T is a convenient, arbitrarily chosen 
time-constant (ref. 15), one gets: 
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exp 


(T - Tp 


(9) 


T 

e 




• u^(t) dx 
> Tf 


Therefore, the error vector ^(t) will point in a specific direction in the 
space, for example, in the direction defined by associated with the failure of 

the ith actuator. Since the only access one has to the system is by measuring the 
vector ^(t) , the measured residual will point in the direction of Since, in 

general, the matrix C is an (m x n) matrix, it may very well happen that the vector 
C^i will have only a few components or, perhaps, even none if ^ is the null space 
of C. If, for instance, m = 2 and n = 6, one measures only two components of ^(t) 
and not necessarily the most sensitive ones (see the example and simulation results 
in section 7) . 


By a similar treatment, one is able to show how sensor failures can be detected, 
but in this case £(t) lies in a two-dimensional plane. In such a case, it is 
possible to arrive at a feasible scheme, so that the detection of the failed sensor 
will be simple and unique. As will be shown later, by processing the information 
with a secondary observer in an optimal way, a failure direction may be determined, 
even in the presence of measurement noise. 

The following is an alternative way to look at observers as failure-sensitive 
devices. Suppose we look again at the observer’s equation (2); one can rewrite that 
differential equation in the following form: 


x(t) = Q x(t) + K ^(t) + B _u(t) (10) 

where 

Q = A - KC (11) 

Then it is possible to write the solution of equation (10) as a linear combination of 
three vector functions: 


x(t) = W(t)x(0) + _^(t) + £(t) (12) 

where the functions W(t), ^(t), and jp(t) are the solutions of the following differ- 
ential equations with appropriate initial conditions (see appendix A) : 


W(t) 

= QW(t) 


w(0) = I 

(13a) 

i(t) 

= Ql(t) 

+ Viyit) 

5^(0) = 0 

(13b) 

^(t) 

= Q£(t) 

+ Bu(t) 

£(0) = 0 

(13c) 


The matrix differential equation (13a) determines the transient of the observer 
and, therefore, is of no practical importance for failure detection, since we are 
assuming that the transient is very short and that the failures may occur in the 
system after this transient died out. By looking now at figure 3 it is easy to see 
that sensor failures will affect only the vector ^(t), and that actuator and system 
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failures will affect both vectors Mt) and £(t) . Moreover, figure 3 shows that 
measurement noise is affecting only the vector £(t) ; this fact will be taken into 
consideration later. Implementing an observer in the FDS in the form suggested 
by equations (12) and (13) (as shown in fig. 3), makes it possible to make an 
immediate distinction between sensor and actuator failures simply by examining the 
vectors £(t) and£(t). 

Let us examine again the case in which m = n. In this case it is possible not 
only to locate arbitrarily the eigenvalues of the matrix Q but also to determine 
the entries of Q in any arbitrary way. If one chooses, for instance, Q = I, one 
obtains because of the initial conditions of equations (13) , 


»n(t) - 


w^j(t) = 0 


i = 1,2, . . 
V t 


£(t) = i(t) + 23 k^ y.(t) 
i=i^ 


n 


(lA) 

(15) 


being the ith column of the matrix K. Similarly, one obtains for p_(t) the 
following differential equation: 

n 

£(t) = p_(t) +2^- * U,(t) (16) 

i=l ^ ^ 


where _bj is the jth column of the matrix B. In order to implement the observer 
in this configuration, we need to solve (in this case) only (1 + 2n) first-order 
differential equations, a relatively easy task. The benefit of such an observer 
implementation is obvious: by measuring each of the components of £(t) and £(t) , 

one can assess immediately when and where the failure occurred, as well as the extent 
of the failure. In this manner, for m = n, the fingerprint of every possible fail- 
ure is unique. In some applications it may be worthwhile to use additional sensors 
(if possible) , in order to arrive at the situation where m = n. 

The problem becomes more complicated for the output measurement case when m < n. 
In this case, although we still can place the poles of the Q matrix arbitrarily, 
one cannot, in general, obtain Q = I. Therefore, the number of integrations will 
increase, to n(2 + n). 

For this reason, when m < n, a practical way to solve the FDS problem is to 
introduce the concept of the secondary observer, as explained in the next section. 


3. DESIGN OF FAILURE-DETECTION SYSTEMS WITH PRIMARY AND SECONDARY OBSERVERS 


As explained in section 2, the determination of a failure can be made in a 
reliable and unique way only by examining the (1 n) observer error vector £(t) . 
Since, when m < n, one has access only to the (1 x m) observer output error l(t), 
we are proposing here to implement a novel concept^and to use' a secondary observer 
in order to reconstruct the (1 x n) error vector £(t) . The proposed implementation 
is shown, schematically, in figure A. 
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We propose for the second observer’s differential equation the following 
structure: 

e^(t) = T e(t) + LU - C e] (17) 

where T is a fixed (n x n) matrix (to be determined later) and L is a (n x m) 
gain matrix (arbitrarily chosen, for the time being). 

Let us now define the second observer's error vector 6 (t), as following: 

Mt) = ^(t) - e(t) (18) 

Since the differential equation for ^(t), as given in equation (5), was 

i(t) = (A - KC) e(t) (19) 

one can obtain, from equations (17)-(19), the following result: 

_ 6 (t) = (A - KC - LC) e(t) - (T - LC) e(t) (20) 

By choosing 

T = A - KC (21) 


one gets 


_ 6 (t) - (A - KC - LC) ^(t) (22) 

If the eigenvalues of the (n x n) matrix (A - KC - LC) are adequately located 
in the left half-plane, the solution of equation ( 22 ) will be asymptotically stable 
and will vanish as t goes to infinity: 

lim ^(t) = 0 (23) 

t OO 

The output of the second observer ^(t), which is the reconstructed error vector of 
the first observer, will follow ^(t) after a short, initial transient. 

From equations (17) and (21) one finally obtains the second observer’s differ- 
ential equation: 

i(t) = (A - KC) i(t) + LU(t) - Ci(t)] (24) 

The input of the second observer is the first observer’s output error vector *^(t) . 

To illustrate in a better way how the second observer reconstructs the whole error 
vector of the first observer, the evolution of the time functions e^(t) and e^^(t) 
for i = 1 , 2 , 3, for a third-order system (see details in sec. 7) with two outputs, 
is plotted in figure 5. 

Figure 6 shows in a more detailed form and with different scale factors, the 
evolution of every component of the vector ^(t) versus the corresponding component 
of vector _e(t) . Also, note that the most sensitive component of _e(t) is 03 (t) 
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and that it could not be observed without the second observer. From figures 5 and 6, 
it is easy to see effective tracking and the zeroing of £(t) following ^(t), after 
a short transient. In our case, this transient is of little interest, because our 
aim is to discover the changes in £(t) owing to possible system failures. 

Equations (19) and (24) suggest that the entire system, including the use of the 
error vector of the first observer and the output vector of the second observer as 
state variables, can be represented in the following augmented form (which will be of 
use later on) : 


x(t) 


A - KC 0 

LC A - KC - LC 


• x(t) 


(25) 


X A ^ 

where y = [e, e] . Note that this representation is valid only for the nonfailure 
case and only when the observers are matched to the system dynamics. 

Let us now examine in the sequel the modeling problem of two of the most impor- 
tant kind of failures: sensor failures and actuator failures. 


Modeling Sensor Failures 


Suppose, in this case, that one of the system’s measurement sensors fails 
(completely) at some time Tf and that no more than one failure will occur at the 
same time. Under the condition of sensor failure, the dynamic system equations 
will be 


j ^(t) = A x(t) + B ii(t) 


(26) 


where is the measurement matrix, considering the failure of one of the sensors. 

We will also define a new matrix AC, 


AC 


A 



(27) 


where C is the nominal (no-failure) measurement matrix and AC is an (m x n) 
matrix with all entries zero, besides one specific entry , modeling for the ijth 

sensor failure. Actually, since we are measuring the outputs by using only distinct 
measurements, the matrix AC will have all zero entries, besides one unity entry at 
the ith sensor which failed. Taking into account equation (27), the first observer 
differential equation will be: 


x(t) = A x(t) + K[y_ - Cx] + B u(t) 

= ^(t) + K[C^2L “ B_u(t) (28) 

Making use of equation (3) , one obtains 

e(t) = (A - KC) e(t) + K.AC.x(t) (29) 
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or, in terms of the estimated state x^t) , 

e(t) = (A - KC^) e(t) + K.AC.£(t) (30) 

The first observer output error will be given by 

l(t) = X “ Cx = Ce - AC.x (31) 

The second observer equation (24) will have, for the sensor-failure case, the follow- 
ing form: 

e(t) = (A - KC - LC) e(t) + L.C^ e(t) - L.AC.x(t) (32) 

From equations (27) and (30) one can easily obtain the differential equation for 
the first-observer error vector ^(t) , for t > T£, given that a sensor failure 
occurred at Tf: 

e(t) = (A - KC^) ^(t) + ^.x^(t) (33) 

The vector ^ is the ith column of the fixed gain matrix K, and x^(t) is the 
scalar, ith component of the reconstructed (estimated) state vector _x(t). From 
equation (33), it is also clear that the vector ki.xi(t), referred to below as the 
ith sensor-failure fingerprint vector, is acting as a driving (input) function for 
equation (33). From equations (32) and (33), one can also conclude that after a 
short transient starting at Tf, the vector e^(t) will also be pointing in a fixed 
direction in the space. Following the discussion of actuator-failure modeling, 

we shall return to consider this problem in more detail. 


Modeling Actuator Failures 

In equation (6), we already obtained the differential equation for ^(t) , given 
that the ith actuator failed at Tfi 

je(t) = (A - KC) £(t) + u^(t) (6) 

where the vector ^ is the ith column of the matrix B, and the scalar uf(t) is 
the ith component of the control vector. This equation is, formally, similar to 
equation (33) and, therefore, we can conclude that the modeling of sensor and 
actuator failures, being formally similar, will make possible a unique treatment in 
the sequel. At this point it should be mentioned that using the same approach, one 
could easily obtain similar models for sensor bias errors, scale factor failures, 
etc. 


We shall now discuss in more detail the unified approach of the failure- 
fingerprint problem. From equations (6) and (33) we can note, in a general way, 
that after a failure the vector ^(t) will be the solution of the following type of 
differential equation: 


£(t) = q.£(t) +_3^.f^(t) 


( 34 ) 


with Q = A - KC and where 




and f^(t) = x^(t) for a sensor failure, and 
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where ^ ^ and f£<t) = ui(t) for an actuator failure. From equation (34), it is 

clear that for every possible failure, a certain direction for the vector ^(t) in 
£n land, therefore, for the vector e^(t)] can be chosen, such that every failure 
will now have its own distinct fingerprint. To implement such a failure fingerprint 
one has to fulfill the following condition; 

rank [3., QB., ^B.] = 1 (35) 

—1 —X 

Therefore, it is possible to dedicate a pair of primary and secondary observers for 
every type of failure detection. The matrices K and L make possible both the 
fulfillment of the condition expressed by equation (35) and the arbitrary location 
of the observers' poles. 

This design approach, although demanding an additional computational effort, 
offers a general and practical solution to the failure-detection problem via the^ 
second-observer concept, making use of the entire (reconstructed) error vector £(t) . 
In the sequel we shall call this design method the "failure-dedicated, multiple- 
observer-pairs" approach. 

In some cases, in order to reduce the computational effort whenever needed, one 
can use a single pair of primary and secondary observers for the failure-detection 
system. In such a case we cannot allocate a priori, for e^(t) and £(t), a desired 
direction in associated with a specific failure. Instead, the vector £(t) will 

provide a definite and unique fingerprint associated with every failure, although 
this time, unspecified in advance. Nonetheless, by simulating the various possible 
failures, one can obtain, in advance, the various failure fingerprints and thereby 
easily determine from £(t) when the failure occurred and what failed in the system. 
The simulation results discussed in section 7 show some of the fingerprints obtained 
in those cases for various sensor and actuator failures. 

An Intermediate way to solve the FDS problem is to use a limited number of 
dedicated pairs of primary and secondary observers, optimized for some important 
systems failures to be determined in a unique manner, and still maintaining the 
possibility of determining the occurrence of various failures by examining the 
fingerprint of e^(t). 


4. FDS WITH PRIMARY AND SECONDARY OBSERVERS IN A STOCHASTIC ENVIRONMENT 

One of the important questions that must be asked when analyzing and designing 
FDS's based oh observers is the following: What is the extent of the effect of 

measurement noise on the FDS false-alarm rate? This question was addressed by others 
(e.g., in refs. 5, 9, 14, and 15), but the problem was never solved in a satisfactory 
manner. With the use of a single observer, it is possible to reduce the Influence of 
the measurement noise by choosing the gain matrix K such that the observer will be 
less susceptible to noise. But this can be done only at the expense of the observer's 
sensitivity with respect to the failure-detection task, such that from the overall 
FAR point of view the benefits of this approach are very questionable. The use of 
primary and secondary observer pairs allows the noise-reduction problem to be solved 
without sacrificing the sensitivity of the FDS. The solution to the measurement- 
noise question is as follows. First, one chooses the gain matrix K of the first 
observer such that the desired fingerprint with respect to some specific failure is 
obtained, the direction of ^(t) in lEn being specified. Then, by choosing the 
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gain matrix L of the second observer as the optimal steady-state (Kalman) filter 
gain, one obtains the smoothed vector £(t). 

IThen measurement noise is present, the system dynamics is given by 


x(t) = A “*■ ^ 

2 i(t) = C x(t) + n(t) 


(36) 


It is easy to show that the first-observer error differential equation will be 


e(t) = (A - KC) e(t) - K n(t) 


(37) 


and that the second-observer's output ^(t) will satisfy the following differential 
equation: 


e(t) = (A - KC - LC) e(t) + L 6(t) 


(38) 


The primary and secondary observer pair is described by the augmented system 
dynamics [eq, (39)]: 


A - KC 


0 


Y(t) = 


Y(t) - K' n 


(39) 


LC 


A - KC - LC 


where Y"^(t) = [e^(t), e^(t)] and the (2n x m) matrix K' 


is defined as 


K' 



(40) 


Note the formal similarity between equations (37) and (39), which helps to explain 
the procedure described above. 


As explained before, the suitable choice of the gain matrices K and L in 
equation (39) allows one to design an FDS that is both sensitive in terms of event 
(failure) detection and minimally susceptible to measurement noise. 


5. ADAPTIVE, PARAMETER TRACKING, PRIMARY AND SECONDARY OBSERVERS 
FOR A FAILURE-DETECTION SYSTEM 


In sections 2-4 we tacitly assumed that the parameters of the dynamical system 
are constant and known and that the primary and the secondary observers are "matched” 
to the dynamic (real) system. Unfortunately, in practical applications the system 
parameters are not exactly known and may even vary with time. Such is the case, in 
flight-control and guidance systems. This problem was solved, and presented for an 
FDS that included a single observer, in reference 15. The same reference also 
includes a short review of the state of the art of adaptive observers, reviewing in 
particular references 16-24. In reference 25, a method of analysis is presented and 
an attempt is made to develop a unified method for analysis of adaptive processes. 
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In this section, an analysis is carried out to show the influence of non- 
matching conditions on the FAR of failure-detection systems. This condition occurs 
when the observer (or KF parameters) does not match or track the dynamic system 
parameters, which are time-varying. As stated above, this is crucial in aero- 
nautical engineering applications of FDS and analytical redundancy concepts, where 
plant parameter variations are caused by dynamic pressure variations in different 
flight conditions. The effects on the FAR of mismatching the actual plant and the 
analytic observer (or FK) , including primary and secondary observers, will be dis- 
cussed subsequently. 

First, the mismatched primary observer case will be treated, and we shall 
assume that the analytical implementation of the primary observer is according to 
the following observer model; 

x(t) = (A + AA) x(t) + K[^(t) - C x(t)] + (B + AB) u(t) (41) 

Accordingly, the primary observer residual error will be the solution of the follow- 
ing linear differential equation: 


e(t) = (A - KC) e(t) - AA.x(t) - AB.u(t) (42) 

where AA and AB represent the difference between the parameters of the real plant 
and those of the primary observer. It is easy to see that the last two terms in 
equation (42) will cause a high residual £(t), even after the initial transient has 
died out. The large value of e(t) is directly responsible for an unacceptably high 
FAR. Acceptable values of FAR will be obtained only for observers that are matched 
to the plant dynamics. In order to see the effects of AA and AB on ^(t) and e(t) , 
the effect of three parameter changes in the plant dynamics on £(t) is shown in 
figure 7. From figure 7 it is clear that the errors are very large, leading to a 
prohibitive FAR. (For more details see the simulation results in sec. 7.) Using 
design methods based on the "robust observer" approach will not be of much use, 
because that approach will lead to observers that are insensitive to failures. 
Therefore, it is easy to see the need for adaptive observers that can track the plant 
parameter variations in FDS applications. 

The same "mismatching" problem can also cause serious problems in the FDS, 
including the Kalman filters used to reduce measurement noise influence on the FAR. 

In this case, a notable change in the basic characteristics of the innovation 
sequence will be caused by mismatching conditions. Let us define the dynamic system 
(plant) equation by 

x(t) = i^(t) + Bu(t) + r.w(t) (43) 


where w(t) is the (q x 1) noise input vector, assumed to be white and Gaussian. 

The measurement vector y^(t) , (n x i) , is contaminated by white noise ii(t) , with 
E[n] =0 and E[^(t)n^(s)] = Qi6(t - s): 

^(t) = C . x(t) + n(t) (44) 


Assume, for simplification, only plant-parameter variations causing the follow- 
ing mismatching conditions: 


~ A 

A = A + AA 
K = K + AK 


(45) 
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where A and K are the matrices used in the Kalman filter implementation. The 
equation of the Kalman filter is given by 

x(t) = A.x(t) + S^[y;(t) - C x(t)] (46) 

Define ^(t) as the best estimate for the ideal matching conditions and A 2 c(t) as the 
change in the estimate owing to mismatching: 

x(t) = 

Denote also ^(t) as the innovation vector for the mismatched system and ^(t) as 
the innovation of the ideal-matched KF-system. Based on linearity property, one can 
write 


v(t) = v(t) + Av(t) (48) 

From equations (44), (47), and (48) one obtains 

v(t) = v(t) - C.Ax(t) (49) 

where A 2 c(t) is the solution of the following differential equation: 

Ax(t) = (A - KC) Ax(t) + AK.^(t) + AA.x(t) (50) 

It is clear from equations (49) and (50), and also shown explicitly in figure 8, that 
the stochastic process which is the actual innovation vector, will be a 

colored noise process, with E[^(t)] ^ 0. Therefore, no adequate test can be made 
on ^(t) in order to detect a failure in a reliable way, for example, with a very 
low, admissible FAR. 

In conclusion, to obtain an adequate FAR in a failure-detection system, it is 
absolutely necessary to have good matching between the observer’s (or KF) model 
parameters and the parameters of the dynamic, real plant. In what follows in this 
section we introduce an algorithm for an adaptive pair, primary-secondary observer 
design, the adaptation law providing also for parameter identification and tracking. 

The approach presented here is basically similar to the method presented in 
reference 15 and is based on a simple, yet effective, adaptive law (algorithm) for 
linear, possibly time-varying, multi-input, multi-output systems. The adaptive law 
makes use of a-priori-determined adaptive gains and does not require solution of 
additional differential equations. Therefore, the computational effort required is 
suitable for the practical needs and objectives of real-time, on-line, simple 
adaptive observers for failure-detection systems. 

As shown previously in equations (41) and (42) , the model of the mismatched 
primary observer leads to an augmented observer output residual 5_(t) , which is 
given by C £(t) , where ^(t) will be the solution of the differential equation 

^(t) = (A - KC) ^(t) - AA.x(t) - AB.u(t) (51) 

To compensate for AA and AB, in both the primary and the secondary observers, it is 
proposed here to change the entries of the observer matrices A^ and B^ according 
to the following adaptation laws (algorithm) : 
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AA = M e(t).x'^(t) (52a) 

o — — 

AB = N e(t).ii''^(t) (52b) 

0 ~ — 

or, in the discrete case, according to 

AA (k) = M e(k) .x"^(k) (53a) 

o — — 

AB (k) = N e(k).u^(k) (53b) 

0 — — 


with k = 1,2, .. . 

The algorithm (52) is based on measurable values, such as the observer output 
(the estimated state) x(t) , the plant (and the observer) input u(t) , and £(t) , the 
second observer output vector. The matrices M(n x n) and N(n x n) are to be chosen 
in such a way that convergence and good tracking are provided. As shown in the next 
two sections, the adaptive algorithm introduced here makes possible to 


(1) maintain a low value of the first observer output residual error, in spite 
of plant parameter variations; 

(2) quickly adapt both primary and secondary observer parameters to those of 
the dynamic plant; and 

(3) to track the varying dynamic plant parameters by the primary-secondary 
adaptive observer parameters. 


In figure 9, a block diagram of the primary-secondary adaptive observer is 
presented; it points out the simplicity of the adaptive law and the fact that this 
algorithm only makes use of accessible measurable functions. 


Although one has to show that the algorithm proposed in equations (52) provides 
for stability and convergence for the entire primary-secondary observer, it is 
worthwhile to do, at the beginning, a simple and approximate analysis for the first 
observer only, assuming that the matrix Aq of the second observer is also ade- 
quately tracking the real dynamic system A matrix. 

Substituting equation (52) into equation (51) , one gets 


e(t) = (A - KC) e(t) 
^ (A - KC) e(t) 


||x|| ^ M £(t) 
11x11 ^ M e(t) 


Hull 2 N £(t) 
Hu IP N ^(t) 


Equation (54) can be put in the more compact form: 


(54) 


e(t) = [(A - KC) - l|x|p M - llujp N] e(t) 


(55) 


To obtain an asymptotically-stable-in-the-large (ASIL) solution for the time- 
varying, nonlinear, differential equation, several approaches can be taken. The 
first is a heuristic one; although the matrix included in the square bracket is time- 
varying because of the time-dependent positive scalars Hiill^ IliilP> it is con- 

jectured here that by an appropriate choice of M and N, based on a priori knowledge 
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of the adaptive algorithm [eq. (52)] can be made asymptotically 

convergent. Loosely speaking, the M and N matrices allow us to locate the eigen- 
values of this square matrix so that all of them will have negative real values, 
providing us with the result: _e(t) 0 as t A second way to obtain an ASIL 

solution for equation (55) is to make use of a version of Perron's theorem (refs. 24, 

27, and 28) and to determine, accordingly, the entries of the gain matrices M and N. 

A more appropriate way to obtain a convergent adaptive law is to determine the gain 

matrices M and N by making use of Lyapunov's second method (refs. 15 and 29) and 
this approach will be presented in the next section. A fourth method to show that 
the algorithm (52) leads to an ASIL solution for the FDS adaptive observer, provided 
the parameter changes are small, is to use the linear quadratic regulator theory 
results. This new and interesting approach is presented in appendix B. 

Given parameter changes in the real, dynamic system, one can now write the 
exact primary-secondary observers equations, based on equations (24) and (51), as 
follows : 


y(t) = Qx(t) + 


(56) 


where y*^(t) = [e(t), e(t)]^ 




A - KC 


LC A - KC - LC 


H i-f-] 


SS I’ 


= [-M 


(57) 


(58a) 


(58b) 


The adaptive algorithm (52) can also be presented in the following alternative 


form: 


AA = H y(t) X (t) 
0 — — 


AB^ = N y(t) _u (t) 


where 


M 


A 

r- ° 

1 

j_ 

M "1 


L 0 

1 

1 

0 J 


r ° 

I 

1 

N -1 

A 1 

L 0 

T 

1 

0 J 


(59a) 

(59b) 

(60a) 

(60b) 


From equation (56) one obtains 

X(t) = Q.y(t) + M 11x11^ N ||u||^ 

= [Q + M llxll^ + N |ju||^].X(t) 


( 61 ) 
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By taking into account equations (59) and (60) and by substituting them into 
equation (61) , one gets 


i(t) 


A - KC X K M + u K N 


LC 


A -- KC - LC 


Y(t) 


( 62 ) 


Equation (62) shows that the correct adaptive algorithm for the first observer 
is indeed the algorithm given in equation (52) , provided that we prove convergency 
and stability; on the other hand, one has to adapt the A matrix in the second 
observer simultaneously with the first-observer adaptation. Therefore, in the next 
section a proof of stability and convergency for the system described by equation (62) 
will be presented. 


If measurement noise is to be taken into account, the gain matrices K and the 
adaptive gain matrices M and N will have to meet some requirements in addition to 
those imposed by the appropriate convergency conditions. In this case, a trade-off 
is to be made in the choice of M and N, between fast parameter-tracking require- 
ments and minimal noise susceptibility. Finally, the gain matrices M and N and, in 
particular, the gain matrix K, have to be chosen such that the observer sensitivity 
in terms of failure detection will be maximal. 


To summarize, besides the necessary convergency conditions, the gains K, L, M, 
and N are to be judiciously determined by taking into account such considerations 
as (1) the minimum parameter alignment time (rate of convergence), (2) fast-tracking 
capabilities, (3) minimum noise susceptibility for minimal FAR, and (4) maximum 
sensitivity for high-probability failures detections. 


6. CONDITIONS FOR CONVERGENCE AND STABILITY 


In the previous section, a procedure for choosing M and N matrices based on a 
heuristic approach was discussed briefly. Here, a procedure for determining the 
matrices M and N, based on Lyapunov's theorem for asymptotic stability, will be 
developed. It will be shown that for a system described by a differential equation 
such as equation (62) and that has a general form, such as that of equation (63), 


Y(t) = W(x,t).y(t) 


(63) 


where 


W(Y,t) = 


Pa - Kc 


LC 


llilPM+ I|u||2n 

A - KC - LC 


(64) 


the solution is uniformly asymptotically stable in the large, about the zero solu- 
tion ^ 0, which is the equilibrium point, if the entries of the matrix W(y,t) 

satisfy certain requirements, provided by some inequality conditions. 


Let us consider the following positive-definite scalar quadratic function V(^) 
as a candidate for a Lyapunov function: 
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( 65 ) 


V(y) = /qi 

with Q being an arbitrary, constant, diagonal, positive-definite matrix, such that 


( = 0 if X 

V(x) 

( > 0 -v-x ^ 0 

In addition, equation (65) provides us with 

lira V(x) = “ 


0 

■V" t 


( 66 ) 


(67) 


To obtain ASIL conditions for the system in equation (63), ^in addition to the 
conditions in equations (66) and (64), it is necessary that V = dV/dt meet the 
following condition: 


V(x) < 0 , v-t , v-x 5^ 0 (68) 

We will now proceed to obtain the necessary conditions to be fulfilled by 
W(x» t) in order to satisfy conditions in equations (66) to (68). If those conditions 
are satisfied, then V(x) from equation (65) will be an adequate Lyapunov function 
for the system in equation (63), and the ASIL property will be obtained. 

From equations (63) and (65), we get the following expression for V: 

V = x^ tQW(x.t) + w'^^(x,t) Q] X (69) 

A T 

To satisfy the condition in equation (68), the matrix P = [QW + W Q] has to be 
negative-definite (ref. 29). The symmetric matrix P is a function of the gains 
{K, L, M, N} and depends also on the matrix Q and the functions u(t) and y(t) . 

We shall proceed further to seek the necessary conditions for the elements p^^j of 
P such that V < 0. By expanding the quadratic form given in equation (69) 
the following expression for V is found. 


1=1 J=1 
(i?^j) 


Y? + (q . . w. . + q . . w, .) Y . Y . + q . . w, . Y .1 


11 IJ 


JJ Jl 


JJ 11 1 


(70) 


where q.^ and w^^ are the elements of the matrices Q and W, respectively, and we 
take i f j in the cross-terms of the expression (70). 

In order to obtain appropriate conditions for convergence and ASIL stability 
of the adaptation algorithm from equation (52) , it is necessary that the conditions 
established in the following theorem hold. 


Theorem: In order for the time-varying system described by equations (63) and 

(64) to have an ASIL solution (asymptotically stable in the large), about the 
singular stable point x “ the following conditions must be satisfied: 
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V > 0 

> 

Vt 

, -V-Y ^ 0 

(71a) 


- D 

< 0 

X — 1,2,..., n 

(71b) 

"JJ - 

- D 

< 0 

j “ 

(71c) 

hii ”u "jj 

w. . 

JJ 

> 

. . w. , + q, . w. ,) 
2 

(71d) 


j = 1,2,..*, n (1 ^ 2 in the cross-term) 

If the conditions of the theorem are satisfied, it is guaranteed that the time 
derivative of the Lyapunov function will be negative-definite everywhere in the 
2n-dimensional vector space spanned by that is, 

V < 0 , Vt , ^ 0 (72) 

the function V(y_) being, therefore, an admissible Lyapunov function for the system 
in equation (63) . 

The conditions established in equation (71) are not difficult to meet, since 
the values of D, qij> and those of the gains m^j and nij (contained in w^j) can 
be arbitrarily chosen. The proof of the theorem is given in appendix C, where it is 
also shown that if the conditions given in equations (71b), (71c), and (71d) are 
satisfied, the value of the function V will be 

n n 

V < - D X) E (y? + Y?) < 0 (73) 

i=l j=l ^ 

From equation (73), it is easy to see that by an appropriate choice of the matrix Q 
and of the constant D, it is possible to modify and accelerate the convergence rate 
of the adaptation process. But as pointed out before, a trade is to be made between 
high convergence rate and susceptibility to possible existing measurement noise. 

It should be noted that conditions similar to those in equation (71) can be 
obtained by applying Sylvester’s theorem for negative definiteness directly to the 
system matrix P. This alternative approach is not explicitly shown in this paper, 
since the establishment of the ASIL conditions following this approach is associated 
with a lengthy and tedious algebraic manipulation. Also, as we already mentioned 
above, we obtained similar conditions by applying linear quadratic regulator theory, 
as explained in appendix B. 


7. SIMULATION RESULTS 


To illustrate the utilization of the proposed approach for FDS’s — namely, 

(1) the use of primary and secondary observers for failure detection and (2) the use 
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of the adaptive observer algorithm introduced in this paper — the results obtained 
for a linear third-order system with two outputs are shown later. The nominal 
system equations are 


XI = + X2 


Xo = X - C X] 
3 n ^ 


Xq = b U 

^ n 


with a >0,b >0,C >0 and with two output measurements 

n n n 



The input u(t) was the sum of sinusoids 

u(t) = sin TTt + cos t 

In this case u(t) was of a persistently exciting type. 

The discretization time chosen was AT = 0.05 sec (a fairly high value). The 
simulation results are divided into three groups: 

1. In the first group of results (figs. 10-12), the fingerprints obtained for 
various sensor and actuator failures are shown. The various components of the 
vector ^(t) are also shown with appropriate scale factors. 

2. In the second group of results (figs. 13-16), the adaptation process of the 
primary and secondary observer’s pair toward the nominal, constant, plant param- 
eters is shown, with and without measurement noise. Also, the three components of 
the _e(t) vector used for failure detection and assessment, are shown. 

3. In the third group of results (figs. 17-19), the adaptation of the primary 
and secondary observer pair toward the nominal, time-varying, plant parameters is 
shown, with and without measurement noise. Also, the three components of the ^(t) 
vector are drawn. In all three groups, the gain K of the first observer was chosen 
on the basis of a desired fingerprint with respect to a failure, and the gain L of 
the second observer had to minimize the effect of the measurement noise on ^(t). 

In figure 10, the second observer output, for example, the components of the 
vector J.(t), owing to an abrupt failure of sensor No. 2 at Tf = 3 sec, is shown. 

The first observer gain matrix K was chosen according to the condition established 
in equation (35) such that the vector ^(t) will point in a predetermined and fixed 
direction in for a failure in sensor No. 2. 

The first-observer eigenvalues, under those conditions, were si = -16 and 
S 2 3 = “8 ± j8. The optimal gain of the second observer was determined as 
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After an initial, short transient of the observers, and under conditions of no- 
failure, the three components of ^(t) became very small (an order of magnitude of 
10“®). As a result of the failure of sensor No. 2 at = 3 sec, one could observe 
a short and high transient in all three components of £(t), in particular in 63 (t), 
such that a well-defined alarm signal is provided instantly, pointing out that a 
failure occurred. The direction of e^(t) , with its definite fingerprint, determines 
that the failure that occurred was in sensor No. 2 Note the difference in scale 
factors between the plot of 63 (t) and that of hjCt) and 62 (t). 

In figure 11, the effect of the failure of sensor No. 1 on £(t) is shown. 

Here also the most sensitive component of e^(t) was e 3 (t) (note the different scale 
factors) . The fingerprint of this failure is distinct and different from the finger- 
print of the previous failure. 

A 

Figure 12 shows the effect of an actuator failure on ^(t) and the specific 
fingerprint obtained in this case. It is noted that the sensitivity of the FDS with 
respect to the actuator failure is quite low, because criterion (35) was implemented 
in our example only with respect to a failure of sensor No. 2. 

In figure 13, the simultaneous adaptation process of three primary-secondary 
observer parameters, a^, bg, and Cg, is shown. These three parameters converge, 
respectively, toward the nominal system parameter values: a = 1.0, b^ = 1-5, and 

Cj^ = 3.0. The starting values of the observers parameters were ag(o) = 1.5, bg(o) 

= 2.0, and Cg(o) = 2.5. Together with the initial parameter mismatching, the follow- 
ing mismatching conditions in the initial conditions values were also used: 

xi (o) = 1.0 X 2 (o) = 0.0 

X2(o) = 0.0 X2(o) = 1.0 

X3(o) = 0.0 X3(o) = 1.0 

After 6 sec (120 steps) , the norm of the parameter error vector dropped to less than 
5%. The norm of the second-observer output error vector dropped to less than 10“^ 
after 5 sec. The normalized values of m^j and nij were unity, except the values 
of m 3 j and njj ( 33 = 1, 2, 3), which were taken as 0.1 In figure 14, the various 
components of *^^(t) are shown, and it is easy to see that after the adaptation phase, 
^(t) becomes very small again, being valid for failure detection. 

In figure 15, the simultaneous adaptation process of three primary-secondary 
observer parameters, ag, bg, and Cg, while the first output measurement is contami- 
nated with white noise, is shown. The noise-to-slgnal ratio was chosen to be 
intentionally high — about 5% relative to the maximum value of xj . The adaptation 
process has essentially the same profile as before, for the same values of mismatch- 
ing in the states and in the parameters. The identification accuracy, although 
slightly reduced in this case because of the high measurement noise, is still remark- 
ably good. As shown in figure 16, the components of £(t) , although noisy, are still 
very low, giving valid information sources for failure alarm and assessment. 
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The effects of parameter changes in the nominal plant on 
adaptive observers adaptation process is shown in figure 17. 
parameters were widely varied, as shown in the following: 
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While in steady state, the accuracy of the parameter identification was of the 
order of 95%. The second-observer output, while in the simultaneous tracking phase 
of a^, bo, and Cq, following a^(t), t)^(t) and c^(t), was less than unity. 

The effects of the output measurement noise of sensor No. 1 on the adaptation 
process and on the parameter-identification accuracy are shown in figure 18. The 
adaptation process was only slightly modified by the measurement noise, the noise-to- 
signal ratio being deliberately chosen to be high — about 5%. The identification 
accuracy was also only slightly reduced, and in the steady-state phase the three 
parameters could be identified with high accuracy, as shown in figure 18. As shown 
in figures 18 and 19, the effect of the measurement noise on the adaptation process 
and on parameter-identification and failure-detection capabilities was rather minor, 
mostly because the gains of the second observer were optimal gains. 


8. COMMENTS AND CONCLUSIONS 


The problem of designing analytical failure-detection systems, using pairs of 
primary and secondary, observers for linear, constant, and, possibly, time-varying, 
multi-input, multi-output systems, with measurement noise, was described. The use 
of a secondary observer permits the reconstruction of the entire error vector ^(t), 
which is the major source of information for failure assessment. The _e(t) vector 
has a unique fingerprint associated with certain classes of failures. Moreover, by 
applying criterion (35) the specific fingerprint can be determined a priori, by 
choosing the K matrix, thereby enhancing the failure-detection sensitivity and 
detectability. 

It was also shown that in order to use primary-secondary observers (or Kalman 
filters or both) for the purpose of detecting the failures in linear systems, it is 
necessary to adapt the observers (or the Kalman filter) to the parameters of the 
dynamic system. If this is not done, prohibitive false-alarm rates will result. 
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An on-line algorithm for tracking-adaptive primary and secondary observers for 
multi-input, multi-output linear systems was introduced, and conditions for con- 
vergence and asymptotic stability were developed. Those conditions are established 
a priori, such that the use of the algorithm is simple and effective. In the 
example shown, in both deterministic and stochastic cases, the adaptive law exhibited 
satisfactory accuracy and tracking capabilities by maintaining a low observer output 
error and, simultaneously, by identifying the system parameters in an accurate manner. 

The effect of the output measurement noise was minor because of the use of the 
optimal gain matrix L in the second observer. 

Although the results obtained here are encouraging for the detection of sudden 
or abrupt actuator and sensor failures, the detection of soft failures remains an 
important topic for further research. In particular, it is essential to minimize the 
failure-detection time and to do so with a minimal false-alarm rate. To resolve this 
problem, one has to implement, in addition to the primary-secondary observers, an 
algorithm based on statistical decision theory such as the generalized likelihood 
ratio (GLR) or, eventually, the sequential-likelihood-ratio-test (SLRT) approach (see 
refs. 2 and 9). 

Another topic for additional research is the development of a synthesis tech- 
nique for the optimal choice of the matrices L, M, and N in order to maintain low 
false-alarm rates associated with high failure-detection sensitivity in stochastic 
environments such as those that exist in turbulence or when maneuvering. 

Another topic for further research is the reorganization of the adaptive 
observer (or KF) and of the whole FDS after a major failure has occurred. This must 
be done, no matter what approach and algorithm are used in the analytical failure- 
detection system. 
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APPENDIX A 


ALTERNATIVE IMPLEMENTATION OF OBSERVERS 


Given the observer differential equation (10), 

x(t) = Q.x(t) + K ^(t) + B _u(t) (Al) 

we are looking for a solution for x(t) having the following form: 

x(t) = W(t).x(0) + £(t) (A2) 

where the observer’s output is the sum of three different time functions.^ Taking now 
the derivative of 2 l(t) from equation (A2) , one obtains 

x(t) = W(t).x(0) + ^(t) + £(t) (A3) 

By substituting equation (A2) into (Al) , one obtains 


x(t) = QW(t) x(0) + QMt) + QP(t) + Kx(t) + Bu(t) (A4) 

By comparing terms between equations (A3) and (A4) , one finally gets the follow- 
ing differential equations satisfying W(t), ^(t) , and ^(t) in equation (A2) , with 
the appropriate initial conditions: 


W(t) 

= QW(t) 


M 

II 

O 

(A5) 

i(t) 

= Qi(t) 

+ Ky(t) 

o 

11 

✓—V 

o 

(A6) 

i(t) 

= Q£.(t) 

+ Bu(t) 

o 

II 

o 

(A7) 


Since the term W(t).x(0) represents the effect of the initial transient, the 
failure-event information is contained in the second and the third terms only. In 
particular, sensor failures affect only the function ^(t), whereas actuator failures 
are affecting both ^(t) and P_(t) . Therefore, the observer form in equation (A2) 
will provide the information necessary for failure detection and assessment, instead 
of the error-vector examination approach, usually used in this context. 

Eventually, the output observer form equation (A2) may be useful for the system 
matrix A identification purposes. 
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APPENDIX B 


ADAPTIVE OBSERVER ALGORITHM VIA LINEAR QUADRATIC REGULATOR THEORY 


In this appendix we demonstrate, by invoking well-known results from linear 
quadratic regulator theory (LQR) that the adaptive observer algorithm suggested in 
equation (52) will indeed insure convergence and ASIL conditions for the primary- 
secondary observer pair. In what follows, without any loss of generality, the 
existence of ASIL conditions will be demonstrated for a single adaptive observer. 

From equation (51), if the system matrices A and B were slightly changed, 
one has 


e(t) = (A - KC) e(t) - AA • x(t) - AB • u(t) 
— — 0 0 — 


(Bl) 


Let us write equation (Bl) in the following more general form: 

£ = A e^ + £(t) 


where 


A = A - KC 


q(t) = -AA • x(t) - AB * 0 ( 1 ) 


(B2) 

(B3) 

(B4) 


Now, one can ask for the optimal control law 3*(t), such that the following func- 
tional 


/ 


■j/' 


[e^ P £ + R q] dt 


(B5) 


will be minimized. The meaning of the minimization process is obvious: one tries 

to minimize and zeroing the error e(t), while the adaptation process is carried out 
with a finite, optimal control q*(t). 

From linear optimal control theory, the following necessary conditions for 
optimality are obtained: 

cL*(t) = -R-l S(t) e(t) (B6) 

where the matrix S(t) is the solution of the well-known nonlinear Riccati equation. 
From equations (B4) and B6) one has 


-R“^S(t)^(t) = -AA^(t)x(t) -AB^(t)u(t) (B7) 

The question now is under what conditions does equation (B7) hold. Or, in other 
words, what does the formal structure of AA (t) and AB^(t) have to be in order to 
satisfy equation (B7)? A simple inspection of the terms of equation (B7) reveals 
that it is sufficient to choose the algorithm. 
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(B8a) 


AA^(t) = MCe.x^ 

AB^(t) = NC^.u^ (B8b) 

in order to satisfy, at least formally, equation (B7) . 

Making use of equation (B8) in (B7) and after eliminating ^(t) , one obtains 

R-^ S(t) = MC ||x||2 + NC Hull 2 (B9) 

Since the matrices R, C, and S are known, the values of the entries of the 
M and N matrices can be chosen (at least in principle) so that equation (B9) holds. 
We are not suggesting that M and N be chosen by using this procedure, because the 
purpose of this appendix is only to show that the adaptive algorithm introduced in 
equation (52) satisfies also, in some sense, an optimality criterion and therefore 
provides adequate stability conditions established on LQR theory grounds. 
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APPENDIX C 


PROOF OF STABILITY THEOREM 


In this appendix, a proof of the theorem stated in section 6, where the condi- 
tions in equation (74) for ASIL are established, is given. 

From equation (70), the following expression for V is obtained: 


n 


V 


- E E ti, 

i-i j=i 
(ijiJ) 




<0il ”lj 




+ q . . w. . Y?] 

23 JJ J 


(Cl) 


where and wij are the elements of the matrices Q and W, respectively, and 

i j is'^to be taken in the cross- terms of (Cl). 

For V to be negative-definite, at a first glance it seems to be a good choice 
to take 


q . . w. . < - D < 0 
^11 11 


q . . w. . 

jj 11 


< - D < 0 


(C2) 


and to try to get the rest of the right-hand side of equation (Cl) to form a square. 
The constant D in equation (C2) is an arbitrary, positive constant. We shall 
examine, in the sequel, three different cases. 


Case I; We can choose to satisfy the following conditions: 




JJ J-L 


together with 


for 


q. . w, , 

^11 li 


= -D < 0 


q . . w . . = -D < 0 
11 11 


(C3a) 


(C3b) 


1 1,2,..., n 

j = l,2,...,n(l?^j in the cross- terms) 
■vx(t) and -V-t 
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In this case, equation (Cl) becomes 


n n 

= E E(-DY? + 2Dy^Y. - Dy2) 

i=l i=l 

an) 

= -D E (y. - Y < 0 
i=i j=l ^ 


(C4) 


Since Vj is in this case a negative, semi-definite function (Vj < 0), the Lyapunov 
stability conditions for ASIL are not met and, therefore, conditions in equation (C3) 
are not satisfactory. Despite this fact, it is indicated that the conditions in 
equation (C3) be used as an initial, starting condition, in order to obtain a better 
feeling for the choice of the gains mij and j . 


Case II : Here, one may choose the conditions 


or 


V q.. q..w..w,. > ^(q..q.. + q..w. .) 

^11 11 23 2 ^11 ^23 


(C5a) 


V q..q..w..w.. = “(q..w.. +q..w.J + 0^ 

^11 11 jj 2 ^11 ij ji^ 


(C5b) 


for 


i = 1,2,..., n 

j = 1,2,..., n (i j in the cross-terras) 
and t 

together with the conditions in equation (C3b) , whereas 0 is an arbitrary constant. 
Substituting, in equation (Cl), one gets 

n n 

^TT = E - 2(02 - D)y. Y. - Dy^] (C6) 

i=l j=l 1 J 3 

(i^j) 

If the following choice is made, 

02 = D (C7) 


SO that the following equality holds, 


q..w, . + q,.w.. = 0 
11 ij ji 


one obtains for Vjj the following expression: 


(C8) 
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V. 


II 


n 

= -D E 
i=i 


j=i 




< 0 


(C9) 


This time, Vxi is an absolute, negative-definite function and, therefore, the con- 
ditions in equations (C3b) and (C8) will ensure asymptotic stability in the large. 


Case III : In this case, we obtain a set of conditions for ASIL that are easier 
to fulfill, and, at the same time, we can fix an a priori, upper bound for V, 
increasing the convergence rate of the adaptive algorithm (up to a certain limit, 
because of the stochastic measurement noise susceptibility problem) . Let us choose 


‘lii^ii ^ -D < 0 


q . . w . , < -D < 0 
23 JJ 


Instead of equation (CIO) , one writes 


■'ll ”ii - - “1 


(CIO) 


q . . w. . = -D - D 2 (Cll) 

JJ JJ 

X 1,2,..., n , j — 1,2,..., n 

where D>0, Di>0, D2>0 are arbitrarily chosen constants. Making use of 
equation (Cll) , one obtains 


or 


n n 


E|-(D + Di)y? + (q..w.. +q..w..)Y.YT 
III "L XX xj jx 'x 'J 

i=l 1-1 JJ j 

(i^j) 

- (D + D 2 ) Yj] 


(C12) 


n n 


III 


i-i j-i' J' 


n n 


-E Ejoi i + d 2 y2] 




(C13) 


Choosing the condition 


(q . . w. . + q . . w. .) 


(C14) 
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one obtains for Vjjj;, the following value: 


^II = -» t t ('ll + vp 

1=1 J=1 


(C15) 


n n p 

"L E Y. - *^D2 Y J 

i=l j=i‘- ^ 


By comparing equation (C15) with equation (C9) , we can easily see that 

n n 
V 




(C16a) 


and, therefore. 


III < Vjj < 0 


(C16b) 


for -v-Y.(t) and V;t. 

From equation (All) one has 


'^^i± "jj “ *^(0 + D 2 ) (D + D 2 ) > v'Di T>2 

and, therefore, from equation (CIA), 


(C17) 


/q . . w. . q . . w . , > 
11 11 13 11 


(q . . w, . + q . . w, ,) 

^^11 i1 ^11 


(C18) 


for i = 1,2,..., n; j = 1,2,..., n (i j). Summing up, the conditions for ASIL, 
formerly established, can be enunciated by the following theorem. 


Theorem ; For the time-varying system described by equations (63) and (6A) to 
be asymptotically stable in the large, about the singular stable point X “ 
following conditions are to be satisfied: 

V > 0 , vx ® , V t (C19a) 



i = 1,2, . • • , n 

(C19b) 

i -D < 0, 

j ~ l,2,,..,n 

(C19c) 

/q, , w. , q . . w. . > 

11 11 11 11 

(q . . w, , + q . , w, , ) 

11.11 11 11 

(C19d) 

2 

1 — 1,2,..., n 



j = 1,2,..., n (1 

j in the cross-tems) 
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If the conditions of the theorem are satisfied, it is guaranteed that the time deriv- 
ative of the Lyapunov function will be negative-definite everywhere in the 
2n-dimensional vector space spanned by that is, 

Vjjj < 0 (C20) 

for -v-x(t) and vt, the function V(y) being therefore an admissible Lyapunov function 
for the system in equation (62) . 
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Figure 1. -Schematic block diagram of failure-detection system, including an observer. 



TIME, sec 

Figure 2.- Observer errors (residuals) for a third-order system, with actuator 

failure at Tf = 5 sec. 
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Figure 4.- FDS with primary and secondary observers 
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Figure 7.- The impact of plant parameter changes on e^(t). 
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8.- The modeling of plant - KF "mismatching" effects on the innovation 

stochastic process. 
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Figure 9.- Failure-detection system with adaptive primary/secondary observers. 
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The adaptation/tracking process of the adaptive primary/secondary 
observer with noisy measurements. 
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Figure 19.- The second observer output vector during adaptation, with noisy 

measurements . 
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